Privacy and Security Safeguards. (a) Participant and the IHIN shall implement and maintain reasonable and appropriate administrative, physical and technical safeguards to protect the confidentiality, privacy, security, integrity and availability of electronic health information accessible through the IHIN, to protect it against reasonably anticipated threats or hazards, and to prevent its use or disclosure otherwise than as permitted by this Agreement or required by law. To that end, each Participant and the IHIN shall:
(i) provide for appropriate identification and authentication of their Authorized Users and IHIN’s Authorized Personnel, respectively;
(ii) provide appropriate access authorization;
(iii) guard against unauthorized access to or use of health information; and
(iv) provide appropriate security audit controls and documentation. Such safeguards shall comply with HIPAA, all applicable federal, state, and local requirements, and the Policies and Standards.
(b) Participant and the IHIN shall each maintain reasonable and appropriate security practices, in accordance with the minimum standards and guidelines in the IHIN Security Policies established by the IHIN, with regard to all personnel, systems, and administrative processes used by each party to transmit, store and process electronic health information through the use of the IHIN. Participant and the IHIN each shall be responsible for establishing and maintaining their respective security management procedures, security incident procedures, contingency plans, audit procedures, facility access controls, workstation use controls and security, device and media controls, authentication procedures, and security policies and procedures to protect electronic health information accessible through the IHIN.
(c) Participant shall notify the IHIN within seven (7) days of Participant’s receipt of any adverse audit findings related to Participant’s participation in the IHIN and the resolution of such findings. Participant shall notify the IHIN of any Security Incident relating to the IHIN interface or connection of which Participant becomes aware, or any unauthorized use or disclosure of information within or obtained from the IHIN within seven (7) days, and shall cooperate with the IHIN in investigating the incident and shall take such action to mitigate any breach or suspected breach. The IHIN shall notify Participant of any Security Incident relating to the Participant's Shared Protected Health Information of which the IHIN becomes aware, or any unauthorized use or disclosure of Participant's Shared Protected Health Information within, or obtained from, the IHIN of which the IHIN becomes aware, within seven (7) days of the IHIN becoming aware of either the Security Incident or unauthorized use or disclosure of Participant’s Shared Protected Health Information, and shall cooperate with Participant in investigating the Security Incident and shall take such action to mitigate any breach or suspected breach.
Appears in 1 contract
Samples: Standard Participation Agreement
Privacy and Security Safeguards. (a) Participant and the IHIN shall implement and maintain reasonable and appropriate administrative, physical and technical safeguards to protect the confidentiality, privacy, security, integrity and availability of electronic health information accessible through the IHIN, to protect it against reasonably anticipated threats or hazards, and to prevent its use or disclosure otherwise than as permitted by this Agreement or required by law. To that end, each Participant and the IHIN shall:
(i) provide for appropriate identification and authentication of their Authorized Users and IHIN’s Authorized Personnel, respectively;
(ii) provide appropriate access authorization;
(iii) guard against unauthorized access to or use of health information; and
(iv) provide appropriate security audit controls and documentation. Such safeguards shall comply with HIPAA, all applicable federal, state, and local requirements, and the IHIN Policies and Standards.
(b) Participant and the IHIN shall each maintain reasonable and appropriate security practices, in accordance with the minimum standards and guidelines in the IHIN Security Policies established by the IHIN, with regard to all personnel, systems, physical and administrative processes used by each party to transmit, store and process electronic health information through the use of the IHIN. Participant and the IHIN each shall be responsible for establishing and maintaining their respective security management procedures, security incident procedures, contingency plans, audit procedures, facility access controls, workstation use controls and security, device and media controls, authentication procedures, and security policies and procedures to protect electronic health information accessible through the IHIN.
(c) Participant shall notify the IHIN within five (5) days of Participant’s receipt of any adverse audit findings related to Participant’s participation in the IHIN and the resolution of such findings. Participant shall notify the IHIN of any Security Incident relating to the IHIN interface or connection of which Participant becomes aware, or any unauthorized use or disclosure of information within or obtained from the IHIN within five (5) days and shall cooperate with the IHIN in investigating the incident and shall take such action to mitigate any breach or suspected breach. The IHIN shall notify Participant of any Security Incident relating to the Participant's shared PHI of which the IHIN becomes aware, or any unauthorized use or disclosure of Participant's PHI within, or obtained from, the IHIN of which the IHIN becomes aware, within five (5) days of the IHIN becoming aware of either the Security Incident or unauthorized use or disclosure of Participant’s PHI, and shall cooperate with Participant in investigating the Security Incident and shall take such action to mitigate any breach or suspected breach.
(d) When Transacting Message Content over the nationwide eHealth Exchange through IHIN Participant shall (i) comply with all Applicable Law; (ii) reasonably cooperate with IHIN on issues related to this Agreement and with the eHealth Exchange DURSA;
(iii) Transact Message Content only for permitted purposes as outlined in Restatement I of the DURSA (FINAL September 30, 2014); (iv) use Message Content received from another Participant in accordance with the terms and conditions of this Agreement; (v) as soon as reasonably practicable but no later than one (1) hour after discovering information that leads an IHIN Participant to reasonably believe that a Breach related to Transacting Message Content pursuant to the DURSA may have occurred, alert IHIN to the suspected breach; and twenty-four (24) hours after determining that a Breach related to Transacting Message Content pursuant to the DURSA has occurred, provide a Notification of any such Breach to IHIN; (vi) refrain from disclosing to any other person any passwords or other security measures issued to the Authorized User by IHIN or the Participant Account Administrator; and (vii) comply with the provisions outlined in Restatement I of the DURSA (FINAL September 30, 2014) and the eHealth Exchange Performance and Service Specifications and the Operating Policies and Procedures. These policies are available at the eHealth Exchange website available here: xxxx://xxxxxxxxxxxxxx.xxx/ehealthexchange/onboarding/.
Appears in 1 contract
Samples: Participation Agreement
Privacy and Security Safeguards. (a) Participant and the IHIN shall implement and maintain reasonable and appropriate administrative, physical and technical safeguards to protect the confidentiality, privacy, security, integrity and availability of electronic health information accessible through the IHIN, to protect it against reasonably anticipated threats or hazards, and to prevent its use or disclosure otherwise than as permitted by this Agreement or required by law. To that end, each Participant and the IHIN shall:
(i) provide for appropriate identification and authentication of their Authorized Users and IHIN’s Authorized Personnel, respectively;
(ii) provide appropriate access authorization;
(iii) guard against unauthorized access to or use of health information; and
(iv) provide appropriate security audit controls and documentation. Such safeguards shall comply with HIPAA, all applicable federal, state, and local requirements, and the IHIN Policies and Standards.
(b) Participant and the IHIN shall each maintain reasonable and appropriate security practices, in accordance with the minimum standards and guidelines in the IHIN Security Policies established by the IHIN, with regard to all personnel, systems, physical and administrative processes used by each party to transmit, store and process electronic health information through the use of the IHIN. Participant and the IHIN each shall be responsible for establishing and maintaining their respective security management procedures, security incident procedures, contingency plans, audit procedures, facility access controls, workstation use controls and security, device and media controls, authentication procedures, and security policies and procedures to protect electronic health information accessible through the IHIN.
(c) Participant shall notify the IHIN within five (5) days of Participant’s receipt of any adverse audit findings related to Participant’s participation in the IHIN and the resolution of such findings. Participant shall notify the IHIN of any Security Incident relating to the IHIN interface or connection of which Participant becomes aware, or any unauthorized use or disclosure of information within or obtained from the IHIN within five (5) days, and shall cooperate with the IHIN in investigating the incident and shall take such action to mitigate any breach or suspected breach. The IHIN shall notify Participant of any Security Incident relating to the Participant's shared PHI of which the IHIN becomes aware, or any unauthorized use or disclosure of Participant's PHI within, or obtained from, the IHIN of which the IHIN becomes aware, within five (5) days of the IHIN becoming aware of either the Security Incident or unauthorized use or disclosure of Participant’s PHI, and shall cooperate with Participant in investigating the Security Incident and shall take such action to mitigate any breach or suspected breach.
(d) When Transacting Message Content over the nationwide eHealth Exchange through IHIN Participant shall (i) comply with all Applicable Law; (ii) reasonably cooperate with IHIN on issues related to this Agreement and with the eHealth Exchange DURSA;
(iii) Transact Message Content only for permitted purposes as outlined in Restatement I of the DURSA (FINAL September 30, 2014); (iv) use Message Content received from another Participant in accordance with the terms and conditions of this Agreement; (v) as soon as reasonably practicable but no later than one (1) hour after discovering information that leads an IHIN Participant to reasonably believe that a Breach related to Transacting Message Content pursuant to the DURSA may have occurred, alert IHIN to the suspected breach; and twenty-four (24) hours after determining that a Breach related to Transacting Message Content pursuant to the DURSA has occurred, provide a Notification of any such Breach to IHIN; (vi) refrain from disclosing to any other person any passwords or other security measures issued to the Authorized User by IHIN or the Participant Account Administrator; and (vii) comply with the provisions outlined in Restatement I of the DURSA (FINAL September 30, 2014) and the eHealth Exchange Performance and Service Specifications and the Operating Policies and Procedures. These policies are available at the eHealth Exchange website available here: xxxx://xxxxxxxxxxxxxx.xxx/ehealthexchange/onboarding/.
Appears in 1 contract
Samples: Participation Agreement
Privacy and Security Safeguards. (a) Participant and the OKSHINE shall implement and maintain reasonable and appropriate administrative, physical and technical safeguards to protect the confidentiality, privacy, security, integrity and availability of electronic health information accessible through the OKSHINE, to protect it against reasonably anticipated threats or hazards, and to prevent its use or disclosure otherwise than as permitted by this Participation Agreement or required by law. To that end, each Participant and the OKSHINE shall:
(i) provide for appropriate identification and authentication of their Authorized Users and IHIN’s Authorized PersonnelAdministrative Users, respectively;
(ii) provide appropriate access authorization;
(iii) guard against unauthorized access to or use of protected health information; and
(iv) provide appropriate security audit controls and documentation; and Such safeguards shall comply with HIPAA, all applicable federal, state, and local requirements, and the OKSHINE Policies.
(b) Participant and the OKSHINE shall each maintain reasonable and appropriate security practices, in accordance with at least the minimum standards and guidelines in the OKSHINE Security Policies established by the IHIN, with regard to all personnel, systems, physical and administrative processes used by each party to transmit, store and process electronic health information through the use of the OKSHINE. Participant and the OKSHINE each shall be responsible for establishing and maintaining their respective security management procedures, security incident procedures, contingency plans, audit procedures, facility access controls, workstation use controls and security, device and media controls, authentication procedures, and security policies and procedures to protect electronic health information accessible through the OKSHINE.
(c) Participant shall notify the OKSHINE within five (5) days of Participant’s receipt of any adverse audit findings related to Participant’s participation in the OKSHINE and the resolution of such findings. As required through the Business Associate Agreement (Exhibit C), Participant shall notify the OKSHINE of any Security Incident relating to the OKSHINE interface or connection of which Participant becomes aware, or any unauthorized use or disclosure of information within or obtained from the OKSHINE within five (5) days and shall cooperate with the OKSHINE in investigating the incident and shall take such action to mitigate any breach or suspected breach. The OKSHINE shall notify Participant of any Security Incident relating to the Participant's shared PHI of which the OKSHINE becomes aware, or any unauthorized use or disclosure of Participant's PHI within, or obtained from, the OKSHINE of which the OKSHINE becomes aware, within five (5) days of the OKSHINE becoming aware of either the Security Incident or unauthorized use or disclosure of Participant’s PHI, and shall cooperate with Participant in investigating the Security Incident and shall take such action to mitigate any breach or suspected breach.
(d) When Transacting Message Content over the nationwide eHealth Exchange through OKSHINE, Participant shall (i) comply with all Applicable Law; (ii) reasonably cooperate with OKSHINE on issues related to this Participation Agreement and with the eHealth Exchange DURSA; (iii) Transact Message Content only for permitted purposes as outlined in Restatement II of the DURSA (FINAL August 13, 2019);
Appears in 1 contract
Samples: Participation Agreement